CWS.SearchX problem

I have a serious problem with the CWS.SearchX spyware. I've tried Ad-Aware, HijackThis and CWShredder to help me and I've removed it many times. But it always come back. Sometimes right at once and sometimes it goes a few days before it returns. It's always CWS.SearchX.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** Note! ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ The list will produce a small database of files that will match certain criteria. You must know how to ID the file based on the filters provided in the scan, as not all the files flagged are bad. Ex: read only files, s/h files, last modified date. size, etc. The filters provided should help narrow down the list, and hopefully pinpoint the culprit. Along with that,registry scan logged at the end should match the corresponding file(s) listed. ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ Unless the file match the entire criteria, it should not be pointed to remove without attempting to confirm it's nature! ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ At times there could be several (legit) files flagged, and/or duplicate culprit file(s)! If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***(*updated 7/25)╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

╗╗Member of...: (Admin logon required!) User is a member of group MORDI\Ingen.User is a member of group \Alle.User is a member of group BUILTIN\Administratorer.User is a member of group BUILTIN\Brukere.User is a member of group \LOKAL.User is a member of group NT-MYNDIGHET\INTERAKTIV.User is a member of group NT-MYNDIGHET\Godkjente brukere.

A handle was successfully obtained for the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.This key has 0 subkeys.The AppInitDLLs value exists and reports as 64 bytes, including the 2 for string termination.

This will take couple or more steps to fix.(Although won't be all done yet)Be sure to Follow the next set of steps carefully, in the exact order specified:

1.)*Get ready to restart your computer.- Open the FINDnFIX\Keys1\ Subfolder And DoubleClick on the "FIX.bat" file.-You will get a prompt preparing for auto-restart in 10 seconds.-Let it restart!--------------------------------------------------------------------------2.)On restart, Go to Start/Search, and find:"D3DKEKI.DLL" (in System32 folder; as it should be visible)-When found, RightClick on the "D3DKEKI.DLL" file And select -> Cut...Immediately Goto and Open this Subfolder:C:\FINDnFIX\junkxxx <-RightClick inside it and select -> Pastehit 'ok' when/if asked on 'read only'file move prompt.Be sure the file is now here: \junkxxx\D3DKEKI.DLL--------------------------------------------------------------------------------3.) When done, Go back up one level to the main C:\FINDnFIX folder and Run the -> "RESTORE.bat" file ,It will run and generate new log (log2.txt)Post it here. ===================================================*Note:Do not change/move around or tamper with any of the file(s) folder(s) and path included in the 'FINDnFIX' folder.

*Since I last posted on July 22, you replied today--July 25!It is highly recommended to follow the steps above and submit the results as soon as possible!

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped! RightClick on the file/properties/security and check the "Allow Inheritable permissions from parent..." box. Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)

-Open the FINDnFIX\Files2< Subfolder:Run the -> "ZIPZAP.bat" file.It will take about a second, quickly clean the rest and will create a zipped copy of the bad file(s) in the same folder (named as-- junkxxx.zip) and open your email client with instructions:-Simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit to the specified addresses! Thanks!

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.